Encrypted — but not invisible
WhatsApp uses the Signal Protocol for end-to-end encryption (the cryptographic protocol developed by Open Whisper Systems; considered the gold standard, also used by Signal, iMessage and Threema, open source and audited by experts). This means messages cannot be read even by WhatsApp and Meta — that is called end-to-end encryption (E2EE: encryption whereby only the sender and recipient can decrypt messages; the provider itself has no access; it protects content, but not metadata such as timing, frequency or communication partners). This is real — and important. But it is only part of the story.
What WhatsApp nonetheless collects and passes on to Meta is set out in its own privacy policy (as of March 2025):
- Account data: Phone number, profile picture, status text
- Your complete address book — including people who have never installed WhatsApp
- Usage data: When you open the app, how long, how often
- Device data: Manufacturer, model, operating system, battery level, available storage
- Network data: IP address, internet provider, mobile network
- Communication metadata (data about data: not the content of a message but its circumstances, i.e. who, when, how often, from where; metadata can reveal health, political conviction, relationships and financial situation without a single message being read): who communicates with whom, when, how often — without the content
- Location: IP-based estimate, even without GPS enabled
- Interactions with businesses: Which WhatsApp Business accounts you have contacted
The contact list trap
Particularly consequential: when setting up the app, WhatsApp uploads the entire address book, every phone number from the contacts storage. This also affects people who have never installed WhatsApp and have never consented to the processing of their data, a practice that is controversial under data protection law and has been classified as unlawful in several proceedings. The NRW State Commissioner for Data Protection established in 2025:
"These data are processed even when the stored contacts themselves are not users of the app. A legally compliant basis for this practice does not exist."
NRW State Commissioner for Data Protection, 2025 [20]
19 billion dollars and a handshake
When Facebook bought WhatsApp in February 2014 for 19 billion dollars, WhatsApp co-founder Jan Koum made a public assurance: "Respect for your privacy is coded into our DNA." Zuckerberg promised: WhatsApp would remain independent.
Real-time metadata every 15 minutes
On 7 January 2021 the FBI produced an internal document titled "Lawful Access" — an overview of which data nine popular messaging services can hand over to law enforcement. The document was made public through a Freedom of Information request (the US Freedom of Information Act of 1966 gives citizens and journalists the right to request government documents and is the basis for many investigative disclosures, this one included) and published by Rolling Stone in November 2021.[9]
The FBI document notes: "The return data from the other listed services are indeed logs of latent data that are not provided to law enforcement in real time."
WhatsApp confirmed this practice to Rolling Stone — and framed it as a strength: it shows "that law enforcement does not need to break end-to-end encryption to successfully investigate crime." The encryption is thus intact — and simultaneously useless, once the metadata already reveals everything.
What authorities receive — with and without a judge
Without a search warrant WhatsApp delivers: subscriber data (name, phone number, email, IP address), registration date, sender and recipient data, the target's contact list, and the date and time of every communication — and on pen register request: real-time metadata every 15 minutes.
With a search warrant (a judicially ordered authorisation for data seizure, regulated in the US by the Fourth Amendment; a higher legal threshold than a pen register, and the one that enables access to stored message content) there is additional access to backups of WhatsApp messages, insofar as these are not stored in encrypted form in the cloud. That is the default with iCloud and Google Drive: WhatsApp backups there are NOT end-to-end encrypted unless the user has manually activated it, so Apple and Google can hand them over on behalf of authorities. End-to-end encrypted backups have been available in WhatsApp settings since 2021 — but they are opt-in.
WhatsApp vs. Signal: a direct comparison
| Feature | WhatsApp | Signal |
|---|---|---|
| Message content | Encrypted, unreadable | Encrypted, unreadable |
| Metadata to authorities | Extensive, 15-min. real time | Registration date + last use only |
| Contact list | Forwarded to Meta | Not stored |
| Backup encryption | Optional, must be activated manually | Enabled by default |
| Advertising profiling | Yes, via Meta | None (non-profit) |
Natalie Edwards: convicted by metadata
The investigative outlet ProPublica documented a concrete case in 2021 that shows what metadata means in practice.
Natalie Edwards, a senior adviser at the US Treasury Department, leaked confidential bank reports to BuzzFeed News. The FBI monitored her WhatsApp connections via pen register. The log recorded: on 1 August 2018, "Edwards' device exchanged approximately 70 messages over the encrypted application within about six hours of the pen register being activated" — in a 20-minute window during the night.
"We kill people based on metadata"
Metadata seems harmless. It is not. Who communicates with whom, when, how often, for how long — this permits far-reaching conclusions:
Former NSA Director Michael Hayden stated publicly in 2014: "We kill people based on metadata."[16]
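What a pen register log of the kind used in the Edwards case gives away, and the kind of conclusion the preceding paragraph refers to, can be made concrete with a small analysis over a constructed metadata log. This is an added example, not code from the page or from WhatsApp; the device names, timestamps and the 70-message burst are invented to mirror the case.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log, not real data: what a transport provider or a
# pen register sees for E2EE traffic. Content is absent; time, sender and
# recipient are not. Device names are placeholders.
def build_sample_log():
    base = datetime(2018, 8, 1)
    recs = []
    for h in (9, 13, 18):          # three daytime messages device-A <-> device-C
        recs.append((base + timedelta(hours=h), "device-A", "device-C"))
    burst = base + timedelta(hours=23, minutes=40)
    for i in range(70):            # 70 messages device-A <-> device-B in under 20 min
        src, dst = ("device-A", "device-B") if i % 2 == 0 else ("device-B", "device-A")
        recs.append((burst + timedelta(seconds=15 * i), src, dst))
    return sorted(recs)            # (timestamp, sender, recipient)

def contact_graph(records):
    """Who talks to whom, how often: undirected edge -> message count."""
    edges = Counter()
    for _, src, dst in records:
        edges[tuple(sorted((src, dst)))] += 1
    return edges

def counterparties(records, party):
    """Every device that exchanged at least one message with `party`."""
    return {dst if src == party else src for _, src, dst in records if party in (src, dst)}

def busiest_window(records, party, window=timedelta(minutes=20)):
    """Largest number of messages involving `party` inside any span of
    length `window`, and when that span starts (sliding window over
    sorted timestamps). This is the burst a pen register surfaces."""
    times = [t for t, src, dst in records if party in (src, dst)]
    best_count, best_start, lo = 0, None, 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        if hi - lo + 1 > best_count:
            best_count, best_start = hi - lo + 1, times[lo]
    return best_count, best_start

if __name__ == "__main__":
    log = build_sample_log()
    print("contact graph:", dict(contact_graph(log)))
    print("device-A talks to:", sorted(counterparties(log, "device-A")))
    print("busiest 20-min window for device-A:", busiest_window(log, "device-A"))
```

None of this needs a single byte of plaintext: the graph, the counterparties and the timing of the burst are all derived from the envelope alone.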
The spyware that used WhatsApp as an entry point
In May 2019, WhatsApp engineers discovered an active attack campaign. The Israeli spyware manufacturer NSO Group had exploited a security vulnerability in WhatsApp's audio call function to install the surveillance software Pegasus on target devices — without any interaction from the victim. The device only needed to receive the call. This is a zero-click exploit: an attack requiring no click and no opening of a file, where the device is compromised solely by receiving a specially crafted call or packet; considered the most dangerous category of attack. Pegasus itself is a state-level trojan from NSO Group: once installed, it can extract all data from a smartphone (messages, photos, microphone, camera, location), including from encrypted apps. It is sold to governments and has repeatedly been used against journalists and activists.
1,400 devices in 51 countries were compromised — including 456 in Mexico, 100 in India, 82 in Bahrain. Among those affected were journalists, human rights activists, diplomats and government officials.
WhatsApp sued NSO Group in October 2019. The proceedings yielded decisive findings:
- November 2024: Sworn testimony reveals that NSO itself — not its government customers — installed the spyware and extracted data. NSO employees communicated during this process, ironically, via WhatsApp.
- December 2024: Federal judge Phyllis Hamilton finds: NSO violated US federal law, California state law and WhatsApp's terms of service.
- May 2025: A federal jury awards WhatsApp/Meta $167.25 million in punitive damages and $444,719 in compensatory damages.[11]
- October 2025: Judge Hamilton drastically reduces the punitive damages to approximately $4 million (ratio of 9:1 to compensation) — a reduction of 97%. At the same time she issues a permanent injunction: NSO Group is permanently prohibited from targeting WhatsApp users or using WhatsApp systems — the first ruling of this kind against a commercial spyware vendor in the United States.
What this case shows: even encrypted communication does not protect against state-commissioned malware (a state trojan: malware deployed by authorities to surveil suspects, in Germany regulated by §100b StPO, the online search) that operates directly on the end device — before content is encrypted. Transport encryption is no help when the device itself is compromised.
Over €230 million — and proceedings that took eleven years
| Date | Authority | Amount | Reason |
|---|---|---|---|
| Sept. 2021 | DPC Ireland | €225m | Lack of transparency: users not sufficiently informed. Initially €30–50m planned, increased under pressure from the EDPB. |
| Jan. 2023 | DPC Ireland | €5.5m | Insufficient legal basis for data processing for service improvements |
| Nov. 2024 | CCI India | ~€25m | Abuse of market dominance through the "take-it-or-leave-it" policy of 2021 |
The original proceedings that led to the €225 million fine began with a complaint on 25 May 2018 — the first day the GDPR (General Data Protection Regulation) came into effect. The GDPR applies to all companies processing data of EU citizens, regardless of where the company is located, with fines of up to 4% of global annual turnover or €20 million. The Austrian Supreme Court confirmed a similar case by Max Schrems in December 2025 with final legal force — after eleven years of proceedings.[3]
Banned for authorities — yet still used
As early as 2020, the then Federal Commissioner for Data Protection Ulrich Kelber sent a circular to all senior federal authorities and federal ministries:
"The use of WhatsApp by an authority is ruled out."
Federal Commissioner for Data Protection Ulrich Kelber, 2020 [21]
The reasoning: the mere act of sending messages transmits metadata to WhatsApp, which then passes to Meta and contributes to profiling. Even an individual authority employee may not use WhatsApp for official purposes if metadata from third parties — i.e. citizens — is generated in the process. The BfDI confirmed in 2024: "This assessment has not changed." (Kelber's term ended in January 2024; since September 2024, Prof. Dr. Louisa Specht-Riemenschneider has been Federal Commissioner for Data Protection.)
Yet it still happens. netzpolitik.org surveyed the BKA and all 16 state criminal investigation offices in 2021 regarding WhatsApp metadata requests. Not a single authority cited concrete figures. The Saxon authority openly explained the common practice:
"Since [the formal route via mutual legal assistance treaties (MLATs), the inter-state agreements under which German authorities can formally request data from US providers, widely considered slow and burdensome] is very resource-intensive and time-consuming, numerous providers offer voluntary cooperation with police authorities."
Saxon State Criminal Investigation Office, to netzpolitik.org, 2021 [10]
WhatsApp operates a dedicated online request portal for such enquiries.
€25 million fine and an outraged Supreme Court
In January 2021 WhatsApp imposed a new privacy policy: agree or lose access to the app. India's Competition Commission (CCI; the Indian competition authority, founded in 2003, which investigates abuses of market dominance and antitrust violations) opened proceedings on its own initiative. After a three-and-a-half-year investigation, the ruling came in November 2024: approximately €25 million in fines. WhatsApp had abused its market dominance through the mandatory policy — users had "no genuine choice".[7]
In November 2025 the appellate court (NCLAT) lifted the five-year advertising data ban, but confirmed the fine and transparency requirements. The CCI itself has appealed to the Supreme Court against the lifting of the advertising ban — the proceedings have not yet reached a final conclusion.
Meta contested the ruling before the Supreme Court of India. The court responded on 3 February 2026 with unusual sharpness, declaring it would not allow WhatsApp or Meta to "play with" the privacy rights of Indian citizens or "make a mockery" of the constitution. On 24 February 2026, WhatsApp declared it would implement the CCI requirements by 16 March 2026.[14]
Update December 2025 / early 2026
WhatsApp introduces advertising in the Status tab: From December 2025, adverts appear between status updates and in the Channels section — for the first time directly within WhatsApp. The basis for targeting: location, language, subscribed channels and advertising interactions. End-to-end encryption of messages remains unaffected — but WhatsApp is no longer an advertising-free service.
EU antitrust proceedings over AI exclusivity: In December 2025, the EU Commission opened antitrust proceedings against Meta after WhatsApp had in October 2025 blocked third-party AI assistants from the Business API. In February 2026 the Commission sent a statement of objections and threatened interim measures. Possible penalty: up to 10% of global annual turnover.
Encryption is the beginning — not the end
WhatsApp protects the content of your messages. That is real and important. But encryption is not privacy — it is a part of it.
What is not protected: who you are, who your contacts are, when you write, where you are, with whom you communicate how often. This metadata is passed to Meta, delivered to authorities and used for advertising profiles — contrary to all the promises made at the time of the 2014 acquisition.
- WhatsApp Privacy Policy EEA (20 March 2025): whatsapp.com/legal/privacy-policy-eea
- WhatsApp FAQ — Information We Share With Meta: faq.whatsapp.com
- Data Protection Commission Ireland — Decision WhatsApp, September 2021: dataprotection.ie
- Data Protection Commission Ireland — Decision WhatsApp, January 2023: dataprotection.ie
- Federal Commissioner for Data Protection (BfDI) — bulletin on WhatsApp proceedings, January 2024: bfdi.bund.de
- FBI document "Lawful Access" (7 January 2021), published by Property of the People: propertyofthepeople.org
- Competition Commission of India (CCI) — Decision against Meta/WhatsApp, November 2024
- ProPublica — "How Facebook Undermines Privacy Protections for Its 2 Billion WhatsApp Users" (September 2021): propublica.org
- Rolling Stone — "FBI Can Pump WhatsApp Data In Real-Time" (November 2021): rollingstone.com
- netzpolitik.org — "Metadata: Criminal offices stay silent on WhatsApp requests" (September 2021): netzpolitik.org
- The Hacker News — "NSO Group Fined $168M for Targeting 1,400 WhatsApp Users With Pegasus Spyware" (May 2025): thehackernews.com
- The Record — "1,400 Pegasus spyware infections detailed in WhatsApp's lawsuit filings" (November 2024): therecord.media
- Business and Human Rights Resource Centre — NSO Group lawsuit (chronological): business-humanrights.org
- Storyboard18 — "WhatsApp tells SC it will comply with CCI's data sharing safeguards by March 16" (February 2026): storyboard18.com
- MediaNama — "WhatsApp's 2021 Policy Update And The Legal Battles — A Timeline" (December 2025): medianama.com
- Freedom of the Press Foundation — "Metadata 102: What is communications metadata and why do we care about it?": freedom.press
- ACM CHI 2022 — "Caught in the Network: The Impact of WhatsApp's 2021 Privacy Policy Update" (peer-reviewed): dl.acm.org
- Mozilla Foundation — WhatsApp Privacy Review 2025: foundation.mozilla.org
- TechRadar — "WhatsApp encryption isn't the problem, metadata is" (June 2024): techradar.com
- DataAgenda — "WhatsApp in police service: data protection commissioner criticises use" (April 2025): dataagenda.de
- Staatsanzeiger BW — "Are authorities allowed to use WhatsApp?" (March 2024): staatsanzeiger.de
- The Federal (India) — "When yes isn't really a choice: WhatsApp privacy battle" (February 2026): thefederal.com